Facebook has admitted it stored up to 600 million customers' passwords insecurely

Doris Richards
March 22, 2019

Facebook says that it will notify each of the users whose passwords had been stored in this format.

This is at odds with what the insiders said, but it's possible Facebook is interpreting "improperly accessing the data" differently from the insiders who revealed the information to the press. "To be clear, these passwords were never visible to anyone outside of Facebook and we have found no evidence to date that anyone internally abused or improperly accessed them", wrote Pedro Canahuati, Facebook's VP of Security and Privacy Engineering, in a blog post.

According to KrebsOnSecurity, between 200 million and 600 million users could have been affected by this flaw, even though Facebook denies the possibility of this data being accessible to outsiders and refrains from sharing exact numbers. Facebook has now confirmed that it mistakenly stored some passwords in plaintext.

So far the inquiry has uncovered archives with plain text user passwords dating back to 2012, according to the report published this week by KrebsOnSecurity, a blog run by journalist Brian Krebs. Up to 20,000 employees could have accessed these passwords at any time, but the company claims there is now no indication that its employees accessed those passwords improperly.

He said he was shocked to hear about Facebook's password security: "I would have assumed that they were way more sophisticated than that".

Facebook plans to notify the affected users (presumably the lower bound of the number of users it considers affected) but doesn't intend to reset their passwords automatically. The company was previously condemned for letting a host of apps harvest users' data without their consent. Storing passwords in plain text is "unfortunately more common than most of the industry talks about", Jake Williams, president of Rendition Infosec, told reporters.

It's probably a good time to change your Facebook/Instagram password, just to be on the safe side. Normally, the company says, it 'hashes' and 'salts' each password with a function called 'scrypt' and a cryptographic key, so that what is stored cannot simply be read back as the password.
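To make the difference between the two storage schemes concrete, here is an added example (not Facebook's code, and not from the article) showing the plaintext write-out described in the story beside a salted scrypt record keyed with a server-side secret. The `SERVER_KEY` value, the cost parameters and the `scrypt$N$r$p$salt$hash` record layout are assumptions chosen for illustration; Facebook's actual parameters and format are not public.

```python
import hashlib
import hmac
import os
from typing import Optional

# Hypothetical server-side secret standing in for the "cryptographic key" the
# article mentions. In a real deployment it lives in a KMS/HSM, never in the
# same database as the password records. Constructed placeholder value.
SERVER_KEY = b"example-server-key-not-for-production"

# Illustrative scrypt cost parameters: N (CPU/memory cost), r (block size),
# p (parallelism). Tune these by benchmarking on your own login servers.
SCRYPT_N = 2 ** 14
SCRYPT_R = 8
SCRYPT_P = 1
DKLEN = 32


def store_plaintext(password: str) -> str:
    """The failure mode in the article: the credential is written out as-is,
    so anyone who can read the table or log file learns the password."""
    return password


def _keyed(password: str) -> bytes:
    """Bind the password to the server-side key before hashing, so a leaked
    table is useless for offline guessing without that key as well."""
    return hmac.new(SERVER_KEY, password.encode("utf-8"), hashlib.sha256).digest()


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: scrypt$N$r$p$salt_hex$hash_hex.
    A fresh 16-byte random salt is drawn unless one is supplied (for tests)."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.scrypt(
        _keyed(password), salt=salt, n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN
    )
    return "$".join(
        ["scrypt", str(SCRYPT_N), str(SCRYPT_R), str(SCRYPT_P), salt.hex(), digest.hex()]
    )


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash from the parameters stored in the record and compare
    in constant time. A malformed record verifies as False rather than raising."""
    try:
        scheme, n, r, p, salt_hex, hash_hex = record.split("$")
        if scheme != "scrypt":
            return False
        expected = bytes.fromhex(hash_hex)
        candidate = hashlib.scrypt(
            _keyed(password),
            salt=bytes.fromhex(salt_hex),
            n=int(n),
            r=int(r),
            p=int(p),
            dklen=len(expected),
        )
        return hmac.compare_digest(candidate, expected)
    except (ValueError, TypeError):
        return False


if __name__ == "__main__":
    pw = "correct horse battery staple"  # constructed sample credential
    print("plaintext store leaks:", store_plaintext(pw))
    rec = hash_password(pw)
    print("scrypt record:", rec)
    print("verify correct:", verify_password(pw, rec))
    print("verify wrong:  ", verify_password("password123", rec))
```

Two points the block makes that the paragraph does not: the salt is stored alongside the hash (it only needs to be unique, not secret), while the server key is deliberately absent from the record, and verification re-reads the cost parameters from the record so the scheme can be strengthened later without invalidating old entries.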

Adding to Facebook's series of security problems, the social media platform admitted on Thursday, March 21, that millions of users' passwords had been stored in plain text for years and could have been read by anyone working at the company.
